Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for controlling access to an access object, wherein the access object is a lock for access to a physical space, the method being performed in an electronic key device and comprising the steps of: communicating with an access control device to obtain an identity of the access control device; sending an access request to a server, the access request comprising an identity of the electronic key device and the identity of the access control device; receiving a response from the server based on the server processing the access request, the response comprising a key delegation to the electronic key device; and sending a grant access request to the access control device, the grant access request comprising the key delegation, which configures the access control device to evaluate whether to grant access to the access object based on a plurality of delegations comprising a sequence of delegations from the access control device to the electronic key device such that, in the sequence of delegations, the delegator of a first delegation in the sequence of delegations is the access control device, and the last delegation is the key delegation, wherein each delegation is a data item that delegates an access right to the access object from a delegator to a receiver, wherein each delegation contains both a delegator identifier and a receiver identifier, and wherein the first delegation is implemented by assigning one or more owners in the configuration of the access control device.
2. The method according to claim 1, wherein each delegation is of a same data structure.
3. The method according to claim 1, wherein the key delegation is digitally signed by the delegator.
4. The method according to claim 1, wherein the key delegation comprises a time constraint.
5. The method according to claim 1, wherein the key delegation comprises an operation constraint.
6. The method according to claim 1, wherein in the step of receiving a response, the response is based on the server verifying the existence of a user account associated with the identity of the electronic key device.
7. An electronic key device for controlling access to an access object, wherein the access object is a lock for access to a physical space, the electronic key device comprising: a processor; and a memory storing instructions that, when executed by the processor, causes the electronic key device to: communicate with an access control device to obtain an identity of the access control device; send an access request to a server, the access request comprising an identity of the electronic key device and the identity of the access control device; receive a response from the server based on the server processing the access request, the response comprising a key delegation to the electronic key device; and send a grant access request to the access control device, the grant access request comprising the key delegation, which configures the access control device to evaluate whether to grant access to the access object based on a plurality of delegations comprising a sequence of delegations from the access control device to the electronic key device such that, in the sequence of delegations, the delegator of a first delegation in the sequence of delegations is the access control device, and the last delegation is the key delegation, wherein each delegation is a data item that delegates an access right to the access object from a delegator to a receiver, wherein each delegation contains both a delegator identifier and a receiver identifier, and wherein the first delegation is implemented by assigning one or more owners in the configuration of the access control device.
8. The electronic key device according to claim 7, wherein each delegation is of a same data structure.
9. The electronic key device according to claim 7, wherein the key delegation is digitally signed by the delegator.
10. The electronic key device according to claim 7, wherein the key delegation comprises a time constraint.
11. The electronic key device according to claim 7, wherein the key delegation comprises an operation constraint.
12. The electronic key device according to claim 7, wherein, the response is based on the server verifying the existence of a user account associated with the identity of the electronic key device.
13. A non-transitory computer program product comprising a computer program for controlling access to an access object, wherein the access object is a lock for access to a physical space, the computer program comprising computer program code which, when run on an electronic key device causes the electronic key device to: communicate with an access control device to obtain an identity of the access control device; send an access request to a server, the access request comprising an identity of the electronic key device and the identity of the access control device; receive a response from the server based on the server processing the access request, the response comprising a key delegation to the electronic key device; and send a grant access request to the access control device, the grant access request comprising the key delegation, which configures the access control device to evaluate whether to grant access to the access object based on a plurality of delegations comprising a sequence of delegations from the access control device to the electronic key device such that, in the sequence of delegations, the delegator of a first delegation in the sequence of delegations is the access control device, and the last delegation is the key delegation, wherein each delegation is a data item that delegates an access right to the access object from a delegator to a receiver, wherein each delegation contains both a delegator identifier and a receiver identifier, and wherein the first delegation is implemented by assigning one or more owners in the configuration of the access control device.
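The evaluation that the claims place on the access control device can be sketched as follows. This is an added illustration, not code from the patent or its applicant: the names `Delegation` and `evaluate`, the field layout, and the sample identifiers are assumptions, as is the choice to treat the constraints of every delegation in the sequence as binding. Verification of the digital signature of claim 3 is omitted and would have to pass for each delegation before this logic runs.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Delegation:                        # one data structure for every delegation
    delegator: str                       # delegator identifier
    receiver: str                        # receiver identifier
    not_before: Optional[int] = None     # time constraint, epoch seconds
    not_after: Optional[int] = None
    operations: Optional[FrozenSet[str]] = None  # operation constraint; None = any

def evaluate(lock_id: str, owners: Set[str], presented: List[Delegation],
             key_id: str, operation: str, now: int) -> Tuple[bool, str]:
    """Decide on the lock whether key_id may perform operation at time now."""
    if not presented:
        return False, "no key delegation presented"
    if presented[0].delegator not in owners:
        return False, "chain does not start at a configured owner"
    # First delegation: lock -> owner, taken from the lock's own configuration.
    chain = [Delegation(lock_id, presented[0].delegator)] + presented
    for prev, cur in zip(chain, chain[1:]):
        if prev.receiver != cur.delegator:
            return False, f"broken link at {cur.delegator} -> {cur.receiver}"
    if chain[-1].receiver != key_id:
        return False, "last delegation is not addressed to this key device"
    for d in chain:
        if d.not_before is not None and now < d.not_before:
            return False, f"delegation from {d.delegator} not yet valid"
        if d.not_after is not None and now > d.not_after:
            return False, f"delegation from {d.delegator} expired"
        if d.operations is not None and operation not in d.operations:
            return False, f"{operation} not delegated by {d.delegator}"
    return True, "granted"

# Constructed sample data: owner-A -> user-B -> key-K, the last with both constraints.
LOCK, OWNERS, KEY = "lock-1", {"owner-A"}, "key-K"
CHAIN = [
    Delegation("owner-A", "user-B", operations=frozenset({"lock", "unlock"})),
    Delegation("user-B", KEY, not_before=1000, not_after=2000,
               operations=frozenset({"unlock"})),
]

if __name__ == "__main__":
    for op, t in [("unlock", 1500), ("lock", 1500), ("unlock", 2500)]:
        print(op, t, evaluate(LOCK, OWNERS, CHAIN, KEY, op, t))
```

Because the root of trust is the owner list in the lock's own configuration, a sequence that does not begin at a configured owner is rejected however well-formed its later links are.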
May 10, 2022